公开(公告)号：US20130156182A1

公开(公告)日：2013-06-20

申请号：US13674226

申请日：2012-11-12

申请人： Karl Norrman ,  Mats Naslund

发明人： Karl Norrman ,  Mats Naslund

IPC分类号： H04L9/08

CPC分类号： H04W12/06 ,  H04L9/065 ,  H04L9/0819 ,  H04L9/0838 ,  H04L9/0866 ,  H04L9/0869 ,  H04L9/0891 ,  H04L9/14 ,  H04L9/3271 ,  H04L2209/24 ,  H04L2209/80 ,  H04L2463/061 ,  H04W12/04

摘要： A technique for generating a cryptographic key is provided. The technique is particularly useful for protecting the communication between two entities cooperatively running a distributed security operation. The technique comprises providing at least two parameters, the first parameter comprising or deriving from some cryptographic keys which have been computed by the first entity by running the security operation; and the second parameter comprising or deriving from a token, where the token comprises an exclusive OR of a sequence number (SQN) and an Anonymity Key (AK). A key derivation function is applied to the provided parameters to generate the desired cryptographic key.

公开(公告)号：US20110255695A1

公开(公告)日：2011-10-20

申请号：US13141435

申请日：2008-12-23

申请人： Fredrik Lindholm ,  Mattias Johanson ,  Karl Norrman

发明人： Fredrik Lindholm ,  Mattias Johanson ,  Karl Norrman

IPC分类号： H04L9/08

CPC分类号： H04L9/0833

摘要： The present invention relates to a key management method to establish selective secret information in multiple disjoint groups, more specifically to a method of reducing the broadcast size in access hierarchies and localize and facilitate management in said access hierarchies. The key management method selects a number of subgroups. Each subgroup supports an instance of a key distribution method for receiving distributed key material, and is capable of computing a usage security key based on the distributed key material and predefined user group key material.

摘要翻译： 本发明涉及一种用于在多个不相交组中建立选择性秘密信息的密钥管理方法，更具体地涉及一种在接入层次中降低广播大小的方法，并且在所述接入层次中进行本地化和便利管理。 密钥管理方法选择多个子组。 每个子组支持用于接收分布式密钥材料的密钥分发方法的实例，并且能够基于分布式密钥材料和预定义的用户组密钥材料来计算使用安全密钥。

公开(公告)号：US20100263040A1

公开(公告)日：2010-10-14

申请号：US12681212

申请日：2008-07-30

申请人： Karl Norrman ,  Ghyslain Pelletier ,  Magnus Lindstrom

发明人： Karl Norrman ,  Ghyslain Pelletier ,  Magnus Lindstrom

IPC分类号： H04L29/06 ,  H04W12/00

CPC分类号： H04L63/12 ,  H04W12/10 ,  H04W88/08

摘要： A method and apparatus is provided for detecting the start of a secure mode by a user terminal (12) without explicit signaling. After the network (30) commands the user terminal to switch to secure mode and receives a data packet from the user terminal, the receiving network node (22) determines the security mode of the user terminal by determining whether valid security has been applied to the received data packet by the user terminal.

摘要翻译： 提供了一种方法和装置，用于在没有明确信令的情况下检测用户终端（12）开始安全模式。 在网络（30）命令用户终端切换到安全模式并从用户终端接收数据分组之后，接收网络节点（22）通过确定是否将有效的安全性应用于用户终端来确定用户终端的安全模式 由用户终端接收数据包。

公开(公告)号：US20080181411A1

公开(公告)日：2008-07-31

申请号：US11956815

申请日：2007-12-14

申请人： Karl Norrman ,  Mats Näslund

发明人： Karl Norrman ,  Mats Näslund

IPC分类号： H04L9/08

CPC分类号： H04L9/3242 ,  H04J11/0069 ,  H04L9/0844 ,  H04L9/0861 ,  H04L63/061 ,  H04L63/12 ,  H04L2209/80 ,  H04L2463/061 ,  H04W12/04 ,  H04W12/10 ,  H04W36/0038

摘要： A path switch message in a mobile radio access network is protected as the message is sent over a user plane interface that may be insecure (e.g. lacks integrity and/or confidentiality protection). According to the invention a UE provides an AP with a fresh integrity key over an already existing and secure RAN channel enabling AP to use the integrity key to integrity protect information sent to a UPN. Specifically, UE derives locally at least a user plane key K1. The key derivation is done at authentication e.g. when performing an AKA procedure. On the network side CPN derives the same key K1 for delivery to UPN. At handover, the UE generates a fresh integrity key K3 by applying a Key Derivation Function (KDF) with at least the UP key K1 and a nonce, e.g. a sequence number.

摘要翻译： 当消息通过可能不安全的用户平面接口（例如，缺乏完整性和/或机密性保护）发送时，移动无线电接入网络中的路径切换消息被保护。 根据本发明，UE通过已经存在和安全的RAN信道向AP提供新鲜完整性密钥，使得AP能够使用完整性密钥来完整性地保护发送到UPN的信息。 具体地说，UE本地至少导出用户面密钥K1。 密钥导出是在认证例如 当执行AKA程序时。 在网络侧，CPN得到与UPN相同的密钥K1。 在切换时，UE通过应用具有至少UP密钥K1和随机数的密钥导出函数（KDF）来生成新的完整性密钥K3。 一个序列号。

公开(公告)号：US20150079941A1

公开(公告)日：2015-03-19

申请号：US14400228

申请日：2012-05-15

申请人： Jari Arkko ,  Anna Larmo ,  Karl Norrman ,  Bengt Sahlin ,  Kristian Slavov

发明人： Jari Arkko ,  Anna Larmo ,  Karl Norrman ,  Bengt Sahlin ,  Kristian Slavov

IPC分类号： H04W12/06 ,  H04W68/00 ,  H04W12/04

CPC分类号： H04W12/06 ,  H04L9/3226 ,  H04L63/0876 ,  H04L63/123 ,  H04L2209/38 ,  H04L2209/80 ,  H04W4/70 ,  H04W12/00514 ,  H04W12/04 ,  H04W12/10 ,  H04W68/00 ,  H04W68/025

摘要： There is described a device for communicating with a network. The device receives a series of paging messages from a serving node in the network, where each paging message includes identification and authentication information sufficient to identify at least one device and authenticate the message, at least some of the information having been protected according to a sequence such that it varies between successive paging messages. The device verifies the protected part of the information using a cryptographic function and knowledge of the sequence and identifies whether the information indicates that message is an authentic message intended for that device. The device may act in response to the received paging message.

摘要翻译： 描述了用于与网络进行通信的设备。 该设备从网络中的服务节点接收一系列寻呼消息，其中每个寻呼消息包括足以识别至少一个设备并认证消息的标识和认证信息，至少一些信息已经根据序列被保护 使得它在连续的寻呼消息之间变化。 设备使用加密功能和序列的知识来验证信息的受保护部分，并且识别信息是否指示该消息是用于该设备的真实消息。 该设备可以响应于接收到的寻呼消息而起作用。

公开(公告)号：US08929543B2

公开(公告)日：2015-01-06

申请号：US13634920

申请日：2011-03-16

申请人： Karl Norrman ,  Tomas Hedberg ,  Mats Naslund

发明人： Karl Norrman ,  Tomas Hedberg ,  Mats Naslund

IPC分类号： H04L9/00 ,  H04W36/00 ,  H04W12/04

CPC分类号： H04L9/08 ,  H04L63/06 ,  H04W12/04 ,  H04W12/08 ,  H04W36/0038 ,  H04W36/12

摘要： A method comprises maintaining, in a first node serving a mobile terminal over a connection protected by at least one first key, said first key and information about the key management capabilities of the mobile terminal. Upon relocation of the mobile terminal to a second node the method includes: if, and only if, said key management capabilities indicate an enhanced key management capability supported by the mobile terminal, modifying, by said first node, the first key, thereby creating a second key, sending, from the first node to the second node, the second key, and transmitting to the second node the information about the key management capabilities of the mobile terminal.

摘要翻译： 一种方法包括在通过由至少一个第一密钥保护的连接上为移动终端服务的第一节点中保留所述第一密钥和关于移动终端的密钥管理能力的信息。 在将移动终端重新定位到第二节点时，该方法包括：如果并且仅当所述密钥管理能力指示由移动终端支持的增强密钥管理能力时，由所述第一节点修改第一密钥，从而创建 第二密钥，从第一节点向第二节点发送第二密钥，并向第二节点发送关于移动终端的密钥管理能力的信息。

公开(公告)号：US20140369315A1

公开(公告)日：2014-12-18

申请号：US14374455

申请日：2012-04-24

申请人： Karl Norrman

发明人： Karl Norrman

IPC分类号： H04W36/00 ,  H04W12/08 ,  H04L29/06 ,  H04W40/04

CPC分类号： H04W36/0083 ,  H04L63/1466 ,  H04L63/20 ,  H04L63/205 ,  H04W12/08 ,  H04W12/12 ,  H04W36/0038 ,  H04W36/08 ,  H04W40/04

摘要： The invention provides a system and method for repairing corrupt security information. At a serving node in a telecommunications network, security capabilities of a terminal are received when the terminal registers with the serving node. The received security capabilities are stored. A path switch request message is received from a target base station following an X2 handover request sent from a source base station to the target base station for handover of the terminal, the path switch request including the security capabilities of the terminal. The serving node determines whether the security capabilities of the terminal stored in the storage medium should be sent to the target base station. If so, the serving node sends the stored security capabilities of the terminal to the target base station for use in reselecting security algorithms to be used in communications between the target base station and terminal following the handover.

摘要翻译： 本发明提供了修复损坏的安全信息的系统和方法。 在电信网络的服务节点，当终端向服务节点注册时，接收终端的安全能力。 收到的安全功能被存储。 在从源基站发送到目标基站的终端的切换的X2切换请求之后，从目标基站接收到路径切换请求消息，路径切换请求包括终端的安全能力。 服务节点确定存储在存储介质中的终端的安全能力是否应发送到目标基站。 如果是，则服务节点将存储的终端的安全能力发送到目标基站，用于重新选择要在切换后的目标基站和终端之间的通信中使用的安全算法。

公开(公告)号：US08533455B2

公开(公告)日：2013-09-10

申请号：US12129419

申请日：2008-05-29

申请人： Wassim Haddad ,  Karl Norrman ,  Conny Larsson

发明人： Wassim Haddad ,  Karl Norrman ,  Conny Larsson

IPC分类号： H04L9/32

CPC分类号： H04L9/0844 ,  H04L9/3297 ,  H04L63/0823 ,  H04L2209/76 ,  H04L2209/80 ,  H04W80/02 ,  H04W80/04

摘要： Methods and apparatuses for combining internet protocol layer authentication and mobility signaling are disclosed. Various embodiments for providing authentication and mobility signaling when a mobile node moves from a 3GPP access network to a non 3GPP access network and vice versa are described.

摘要翻译： 公开了用于组合互联网协议层认证和移动性信令的方法和装置。 描述了当移动节点从3GPP接入网络移动到非3GPP接入网络时提供认证和移动性信令的各种实施例，反之亦然。

公开(公告)号：US20130124757A1

公开(公告)日：2013-05-16

申请号：US13520301

申请日：2010-01-04

申请人： Karl Norrman ,  Jukka Ylitalo ,  Mats Näslund ,  Pekka Nikander

发明人： Karl Norrman ,  Jukka Ylitalo ,  Mats Näslund ,  Pekka Nikander

IPC分类号： H04L12/56

CPC分类号： H04L45/00 ,  H04L63/04 ,  H04L63/06

摘要： Methods and arrangements for supporting a forwarding process in routers when routing data packets through a packet-switched network, by employing hierarchical parameters in which the hops of a predetermined transmission path between a sender and a receiver are encoded. A name server generates and distributes router-associated keys to routers in the network which keys are used for computing the hierarchical parameters.

摘要翻译： 通过采用编码发送器和接收器之间的预定传输路径的跳的层次参数来支持通过分组交换网络路由数据分组时在路由器中的转发过程的方法和装置。 名称服务器生成并将与路由器相关的密钥分发给网络中用于计算分层参数的密钥的路由器。

公开(公告)号：US08442006B2

公开(公告)日：2013-05-14

申请号：US12743694

申请日：2007-11-23

申请人： Wassim Haddad ,  Karl Norrman

发明人： Wassim Haddad ,  Karl Norrman

IPC分类号： H04W4/00

CPC分类号： H04L63/0823 ,  H04L63/0807 ,  H04W12/06 ,  H04W36/0011 ,  H04W84/12

摘要： A method of performing hand-off of a Mobile Node from a previous Access Point to a new Access Point within a WLAN domain, where the previous and new Access Points are connected respectively to previous and new Access Routers. The method comprises, following a MAC authentication exchange between the Mobile Node and the new Access Point, sending a MAC Reassociation Request from the Mobile Node to the New Access Point, forwarding said Reassociation Request to said new Access Router, and sending the Reassociation Request from said new Access Router to said previous Access Router within an IP hand-off request, and authenticating the Reassociation Request at the previous Access Router and initiating the tunnelling of IP packets received at the previous Access Router and destined for said Mobile Node, towards said new Access Router.

摘要翻译： 执行移动节点从先前接入点切换到WLAN域内的新接入点的方法，其中先前和新的接入点分别连接到先前和新的接入路由器。 该方法包括：在移动节点和新的接入点之间的MAC认证交换之后，从移动节点向新的接入点发送MAC重新关联请求，将所述重新关联请求转发到所述新的接入路由器，并将所述重新关联请求从 在IP切换请求中将所述新的接入路由器表示到所述先前的接入路由器，并且在先前的接入路由器上认证重新发送请求，并且发起在先前的接入路由器接收并发往所述移动节点的IP分组的隧道，朝向所述新的 接入路由器